Raashid Bhat

Malware Research Blog.

Read this first

Analysing Windows Malware on Apple Mac M1/M2 ( Windows 11 ARM ) - Part I

x86/x64 emulation internals on Windows 11 ARM

Note 25-Dec-2023 at 50035 PM copy.jpeg

Introduction

Since the introduction of Intel processors for the MacBooks, malware analysis on Mac has become quite popular, and it has become the hardware of choice for malware analysts.

With the introduction of the Mac M1, the landscape has changed significantly. The processor is no longer Intel-based but ARM-based. This shift has caused heartbreak for malware analysts, as native virtualization is necessary for effective malware analysis. While emulation like qemu is possible, it often proves to be more trouble than it is worth, serving as a nuisance.

Fortunately, there exists a version of Windows that can run natively on ARM hardware—the Windows ARM version OS. This offers backward compatibility and includes an emulation layer for running both 32-bit and 64-bit Windows applications. Combining these capabilities provides a viable...

Continue reading →


Operation Duckhunt : Field Testing the FBI’s Anti-Qakbot Payload

Screen Shot 2023-09-04 at 3.34.14 PM.png

In a significant development, the FBI declared today that the Qakbot botnet has been successfully dismantled through a collaborative international law enforcement effort. This operation not only involved the confiscation of the botnet’s infrastructure, but it also involved the removal of the malware from compromised devices or not necessarily ?

Summary

  • FBI’s payload only terminated the payload from the memory.

  • Some earlier versions didn’t have the CMD_0x04 implemented, so some of the infections would still be alive. To tackle this problem, FBI could have used Cmd18_UpdateQakbotBinary to uninstall the binary from the infected machine.

  • As some of the infections would still be alive (due to many reasons), I have released a remediation tool Anti-Qakbot
    to detect and kill the QakBot process on an infected system.

What did FBI actually deliver

After gaining access to top-tier...

Continue reading →


How I Contacted Russian Hackers Via Telegram

Furthermore, Tracing Their Geographic Coordinates

Screen Shot 2023-08-25 at 8.13.07 PM.png

Introducing Botgram, the epitome of innovation in the world of international diplomacy! Because who needs secure channels and established communication protocols when you can have a Windows app to send your messages across the Kremlin? Move over, traditional methods of discreet communication, because Botgram is here to revolutionize the way political intrigue and sensitive information are handled.
Recording 2023-08-28 234543 (2).gif

Oh, as if mere chatting with our buddies wasn’t enough entertainment! We’ve taken it upon ourselves to become the ultimate surveillance overlords using the mystical powers of Thinkst Canary tokens . Why settle for casual conversation when you can become Sherlock Holmes on steroids, tracking our pals and their epic journey back home post a wild vodka weekend at the local dive?

Screen Shot 2023-08-28 at 2.00.44 PM.png

I am not releasing the code or binary for Botgram because it
...

Continue reading →


Relocating BaseAddress Agnostic Memory Dumps

Often times we need a loaded base address of a memory image that needs to be disk realigned in order to load it and parse the binary successfully in binary analysis tools like IDA or debuggers .

During linking phase the Preferred Base Address is selected and all absolute addresses are set relative to this particular address .

Relocation table for a PE file consists of following fields 



typedef struct _IMAGE_BASE_RELOCATION {
    DWORD   VirtualAddress;
    DWORD   SizeOfBlock;
//  WORD    TypeOffset[1];
} IMAGE_BASE_RELOCATION;

The VirtualAddress consists virtual offset to a 4kb page where relocations are applied to that page , sizeofblock is size of 2 byte array consists of offsets to relocation targets in the same page . Base relocation can have multiple relocation entries .

pasted-image-10.png

During the image loading process , if the LoadedBase address is different from preferred base...

Continue reading →


Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection

Most organizations opt for an incidence response , after a catastrophic cyber security event has taken place . Incidence response and threat hunting focus on events that happen after an endpoint is hit by a cyber attacks ,for example a malware infection . One of the main goals of a holistic approach for threat hunting and incidence response is to determine the extent of damages done by the attack and recover as much possible from it .

In this blog post , I will present a scenario of threat hunting and Incidence response out of a malware infection on an endpoint .

First step in threat hunting is to look for infection markers , and a basic way to figure out a malware infection is to look for any suspicious running processes

pasted-image-10.png

Quickly we are able to locate a suspicious running process named as
Pckntl.exe . This is what most people do next , upload the file to virus total, but often...

Continue reading →


Dissecting Emotet’s network communication protocol

images.png

Request Packet format

Communication protocol for any malware lies at the core of its functionality . It is the essential way for any malware to communicate and receive further commands . Emotet has a complex communication format .
Its peculiarities are the way the protocol is built and sent across the network . Knowing internal details of its communication format is essential to keep tabs on it . In this post we are going to analyze Emotet communication format .


we will be skipping the unpacking and reconstruction part , as it is irrelevant to this topic of discussion .

In this post , we will be specifically looking for areas of interest in the binary , there will be some parts that are analyzed preemptively .

An unpacked emotet sample has around ~100 functions , as populated by IDA . Going through each of them to look for communication subroutines would be “A short in the dark”...

Continue reading →


A taste of our own medicine : How SmokeLoader is deceiving configuration extraction by using binary code as bait

A taste of our own medicine : How smokeloader is deceiving dynamic configuration extraction by using binary code as bait

Recently an interesting smoke loader sample caught my eye ,and moreover I had to put smoke loader monitoring under scrutiny , as my monitoring script found it hard to locate a live c2 . Then suddenly something strange I noticed on the dashboard , the output c2’s from the configuration extraction script and the generated pcap were different

pasted-image-10.png
Output From config extraction

pasted-image-14.png
Pcap generated output

Notice the subtle difference between two outputs ?

A configuration extraction script is essentially an instrumenting script ( using windbg or a memory acquisition tool) to extract configuration ( c2’s , keys , campaigns, etc ) from a running malware binary . It’s sole purpose is to capture a pattern in a binary to extract certain parameters...

Continue reading →


Dissecting DEloader malware with obfuscation

DEloader is a loader malware which is mostly used to load Zeus banking trojan . 
It is a stealth malware designed to keep the payload hidden and encrypted in the memory . A payload is dynamically retrieved from a remote https server 

So far there have been 3 versions of DEloader captured in the wild . Version 0x10E0700 , 0x1050500h and 0x1120300h. More recently in version 0x1120300h they added code obfuscation

Main loader file is a DLL with export named as ‘start’ or ‘begin’ . These exports are called by packer . Essentially because this DLL is memory loaded image , imports and images are relocated via the code in these exports
1.png

Earlier version included a share file map as a marker for infection . Shared file mapping would contain necessary information for the Deloader to run
2.png

If the mapping is found, the data from the map is fed to decoding algorithm which is based on Rc4 and...

Continue reading →


Using concolic execution for static analysis of malware

1.jpg

Reverse engineering is about reducing the complex equation of binary code into na abstract understandable form . Dynamic and static analysis can speed up the process to a large extent , but they have their limitations when malware further tries to obfuscate and add an extra layer of protection to make analysis harder . Hiding import calls , obfuscated strings , use of visualized code are some of the techniques which hinder static analysis ,even when binary is finally stripped to its original form . These entities are dynamically retrieved by a malware sample 



Often times writing scripts is further required to recover hidden entities ( imports, strings , opcodes etc.)

Below is an example of Tofsee spam bot , which features string obfuscation . Strings in this trojan are dynamically generated using a simple algorithm which extracts them from an encoded data buffer .

2.JPG

An easier...

Continue reading →


A Guide to Malware Binary Reconstruction

Often we come across times where binary reconstruction while analyzing malware / unpacking malware is required . Taking leverage of automated tools is not always useful, sometimes manual reconstruction is required. In this blog we will cover up manual and automated binary reconstruction .

Reconstructing IAT from stolen API code

This technique is used to hinder IAT construction after malware finishes unpacking its code, but first we need to understand how IAT is implemented in PE (portable executable).

IAT basics

IAT (Import Address Table) is an internal structure in PE file . It consists of information to instruct windows loader to load and resolve dynamic link libraries and corresponding API function addresses. If you examine a PE file you will notice two pointers in the IMAGE_OPTIONAL_HEADER . One points to an internal structure _IMAGE_IMPORT_DESCRIPTOR a part of which further...

Continue reading →